
Routing issue - clients unable to access internet

Hi all,

I have a problem configuring the routing on the XG firewall.

My ISP delivers access through VLAN trunks and requires the following:

VLAN 10 - Internet
VLAN 20 - IPTV

For the IPTV portion, in addition to VLAN 20, the packets have to be marked with a PCP value of 4 in order to be delivered.

Referencing a custom router built on Arch Linux, which I have tested and which worked (refer to attachment: ArchLinux_cfg.zip), I have configured the following in XG, which did not work when I plugged my notebook into port 2 of the UTM. It did receive an IP address but was unable to route beyond the local network. The XG, on the other hand, has no issue running ping and traceroute to internet addresses.

From what I can tell, it seems the clients can't find a route out of the XG, but this should have been dealt with when the policies were defined.

Maybe I have missed out something?

Interface:

DHCP:

Clientless users:

Policies:

Policy ID 1:

Policy ID 2:

Ping and traceroute from XG:

Ping and traceroute from PC connected to Port 4:

Pinging 192.168.1.16 with 32 bytes of data:
Reply from 192.168.1.16: bytes=32 time=1ms TTL=64
Reply from 192.168.1.16: bytes=32 time=2ms TTL=64
Reply from 192.168.1.16: bytes=32 time=1ms TTL=64
Reply from 192.168.1.16: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.16:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

Pinging 192.168.2.33 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.2.33:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.16 
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.

Edited: Replace config text with screenshots of config and included ping and traceroute logs from PC.
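The ping and tracert output above has a characteristic shape: the first hop (the XG's LAN address, 192.168.1.16) answers and every later hop times out. The following Python, added here as an example and not part of this thread or of the XG product, parses Windows tracert output into hops and classifies where the path breaks; the sample text is constructed to match the output quoted in the post.

```python
import re

# Constructed sample input, modelled on the tracert output quoted in the post:
# the first hop (the XG's LAN address) answers and every later hop times out.
SAMPLE_TRACERT = """\
Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.1.16
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Trace complete.
"""

# A Windows tracert hop line starts with the hop number; the responder
# (an IP, or "hostname [ip]") is the last token unless all probes timed out.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_tracert(text):
    """Parse Windows tracert output into a list of (hop_number, responder_ip).

    responder_ip is None for a hop on which every probe timed out.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank line or "Trace complete."
        hop, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append((hop, None))
        else:
            hops.append((hop, rest.split()[-1].strip("[]")))
    return hops


def diagnose(hops):
    """Classify where the path breaks; returns (verdict, last_responding_ip)."""
    if not hops:
        return ("no_hops", None)
    if hops[0][1] is None:
        # The client cannot reach its default gateway: a local IP/gateway problem.
        return ("gateway_unreachable", None)
    responding = [(hop, ip) for hop, ip in hops if ip is not None]
    last_hop, last_ip = responding[-1]
    if hops[-1][1] is not None:
        return ("reached", last_ip)
    if len(responding) == 1:
        # The gateway answers but nothing past it does: the firewall is reached
        # but is not forwarding (or not source-NATing) the client's traffic, so
        # the rule, the "Rewrite source address" setting and the WAN default
        # route are the things to check.
        return ("stops_at_gateway", last_ip)
    return ("breaks_after_hop_%d" % last_hop, last_ip)


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    print(diagnose(hops))  # ('stops_at_gateway', '192.168.1.16')
```

The "stops_at_gateway" verdict is the one that matches this post: the XG itself can reach the internet, the client can reach the XG, but the XG does not carry the client's packets any further, which points at the firewall rule, source NAT or default route rather than at the client.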



  • Hi lferrara,

    I should clarify that VLANs 10 and 20 are defined on the WAN interface, as my ISP delivers access through them.

    Running a ping and traceroute from a PC connected to port 2 or 3 of the XG to an internet address (e.g. 8.8.8.8) only gives a Request Timed Out error.

  • Can you successfully ping or traceroute from the XG to a PC connected to port 2 or 3?

    Will

  • Hi Will,

    Pinging the XG from a PC connected to ports 2 and 3 works.

    Pinging a PC connected to ports 2 and 3 from the XG works as well.

  • Just a shot in the dark, but I was thinking that it may be a routing issue where you would need to add static routes to your internal networks. e.g.

    Destination: 192.168.0.0 /255.255.255.0

    Gateway:      192.168.0.1

    Interface:      Port2

     

    Destination: 192.168.1.0 /255.255.255.0

    Gateway:      192.168.1.1

    Interface:      Port3

     

    Since you can ping from the XG to internal devices, this is probably not the issue.

     

    Will

  • Vlystria,

    can you share the output of tracert 8.8.8.8?

    Thanks.

  • One additional question / idea, if Luk has not already sorted this out for you.

    If I understand correctly, the "Destination Network" in the policy is used to specify the allowed destinations for the incoming internal traffic.

    From the help screen - "Select the destination network(s) allowed to the user"

    Since you specified the Destination Network as:

    Destination network: Port1.10

    Destination network: Port1.20

    I suspect that your policies are not allowing outbound traffic to the internet, but rather only to the subnets associated with Port1.10 and Port1.20.

    Have you tried specifying Destination Network as Any, since the traffic is destined for the internet?

    Will

  • Hi Will,

    That's an idea to check out.

    That said, I'm out of town right now so I'm unable to do any test on the XG. I'll test it when I'm back.

  • Hi Will,

    I have changed the destination networks to "Any" and it yielded the same results.

    Hi lferrara,

    I have edited the main post to include the ping and traceroute results for reference.

    By the way, I have also changed the IP address and DHCP scopes as well.

  • Vlystria,

    who is 192.168.1.16? Are you able to draw a network map and share it with all IPs?

    Thanks.

  • Vlystria,

    is "Rewrite source address" enabled? What addresses are the 2 VLANs using?

    Expand policy rule and share the screenshots.

  • Hi lferrara,

    As per the interfaces screenshot, 192.168.1.16 is the configured IP for the LAG interface.

    As for the policies, only policy IDs 1 and 2 are defined and the screenshots are in the original post.

    Also, for all policies, "Rewrite source address" has been enabled. Screenshots for all policies can be found in the original post.

    For the VLANs, these are configured as DHCP and configured on the WAN interface as mentioned on the original post.

    As I mentioned before, my ISP delivers the access via a VLAN trunk, where VLAN 10 is for internet and VLAN 20 is for IPTV, and IPTV requires packets to be marked with a PCP value of 4.

    Thank you
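The PCP marking the ISP requires is the 3-bit priority field of the 802.1Q tag, which sits next to the 12-bit VLAN ID in the same 16-bit Tag Control Information word. As an added example that is not part of this thread or of the XG product, the following Python builds and parses that tag (VLAN 20, PCP 4) and checks a frame against the ISP's requirement, which is the check you would apply to a capture taken on the WAN side to confirm the firewall marks IPTV traffic correctly; the MAC addresses, EtherType and payload of the sample frame are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# The ISP requirement from the post: IPTV traffic leaves on VLAN 20 with PCP 4.
IPTV_VID = 20
IPTV_PCP = 4


def build_tci(pcp, vid, dei=0):
    """Pack the 16-bit Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field (0-7)")
    if dei not in (0, 1):
        raise ValueError("DEI is a single bit")
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field (0-4095)")
    return (pcp << 13) | (dei << 12) | vid


def parse_tci(tci):
    """Unpack a TCI value into its three fields."""
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def tag_frame(frame, pcp, vid, dei=0):
    """Insert an 802.1Q tag between the source MAC and the EtherType of an untagged frame."""
    if len(frame) < 14:
        raise ValueError("not a complete Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(pcp, vid, dei))
    return frame[:12] + tag + frame[12:]


def read_tag(frame):
    """Return the tag fields of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return parse_tci(tci)


def meets_iptv_requirement(frame):
    """Check a captured frame against the ISP's rule: VLAN 20 and PCP 4."""
    tag = read_tag(frame)
    return tag is not None and tag["vid"] == IPTV_VID and tag["pcp"] == IPTV_PCP


# Constructed untagged frame: broadcast destination, a locally administered
# source MAC, IPv4 EtherType and a short dummy payload (not a real packet).
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, IPTV_PCP, IPTV_VID)
    print(tagged[12:16].hex())                                        # 81008014
    print(read_tag(tagged))                                           # {'pcp': 4, 'dei': 0, 'vid': 20}
    print(meets_iptv_requirement(tagged))                             # True
    print(meets_iptv_requirement(tag_frame(UNTAGGED, 0, IPTV_VID)))   # False
```

The tag bytes 81 00 80 14 are what to look for at offset 12 of an IPTV frame on the trunk: 0x8100 is the TPID, and 0x8014 is PCP 4 in the top three bits with VID 20 in the low twelve. A frame tagged VLAN 20 with the default PCP of 0 carries 0x0014 instead and fails the check, which is exactly the case the ISP will drop.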